Re: re OpenBSD on booting from CDROM
~ Wrong parts: there is no /usr/src/ on a firewall. Kernels are built
~ elsewhere.
Hmm... unless the firewall machine's architecture type is the only one in
the office. I was already asking whether it's possible to install a compiler
that could create binaries for other architectures, but I got no
response, so I assume the answer isn't known, or this just isn't possible. :)
~ Much of /etc/ and /* are set immutable (like, say, the
~ kernel, and many solid config files); /sbin and /bin are immutable.
~ You need to write to /var, /tmp and /. That's all.
Ah, yes. I was actually going to say that you don't need to be able to
write `/', but that's the place where you would very likely need to be able
to create mount points, place the kernel and other stuff. Is this why you need
to write `/'?
~ /tmp and /var are mounted noexec and nodev on mine. That flies in the
~ face of the chrooted named, but I run named chrooted to a RO /JAIL
~ partition with a small data area that's rw under that (remounted from
~ /var because I chose not to dedicate a partition to that).
Would you mind elaborating on this a bit?
so you have
/JAIL
+--/some_writable_area
which is actually mounted to
/var/foo
right?
Hmm... the only way I see to do this is by enabling NFS
(*ouch*) on the firewall machine and mounting it as localhost:/var/foo. Is there
any other possibility?
~
~ /home? Well, it's debatable whether it should exist. If so,
~ mounted noexec, nodev, nonothing.
Yeah, indeed. Also, it's not a good idea to have users you cannot trust
on your firewall, because they could perforate your firewall fairly well
by setting up port-bounces :)
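As an added example (not part of the original post or the quoted reply), a small POSIX sh audit of the noexec/nodev mount policy discussed above, run against a constructed fstab rather than a real one:

```shell
# Constructed sample fstab for illustration only (not from the post).
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,noexec 1 2
/dev/wd0e /var ffs rw,nodev 1 2
/dev/wd0f /home ffs rw,nodev,noexec,nosuid 1 2
/dev/wd0g /usr ffs ro 1 2'

# check_mount_opts FSTAB_TEXT MOUNTPOINT OPT...
# Prints each required option missing from the mountpoint's entry.
# Returns 0 if all are present, 1 if any is missing, 2 if the
# mountpoint has no fstab entry at all.
check_mount_opts() {
    fstab=$1; mp=$2; shift 2
    # Field 4 of the matching, non-comment line is the option list.
    opts=$(printf '%s\n' "$fstab" |
        awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }')
    [ -n "$opts" ] || { echo "$mp: not in fstab"; return 2; }
    rc=0
    for want in "$@"; do
        # Wrap in commas so "nodev" does not match "nodevfoo".
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_fstab FSTAB_TEXT
# Applies the policy from the thread: /tmp, /var and /home must carry
# nodev and noexec. Returns the number of mountpoints that fail.
audit_fstab() {
    fails=0
    for m in /tmp /var /home; do
        check_mount_opts "$1" "$m" nodev noexec || fails=$((fails + 1))
    done
    return $fails
}

# On a live system one would run: audit_fstab "$(cat /etc/fstab)"
```

Against the sample the audit reports `/var: missing noexec` and returns 1.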